cluster/simulacrum/nowhere: make optional
parent
d784ee0a86
commit
c0d21f6b86
2 changed files with 38 additions and 35 deletions
@ -58,44 +58,46 @@ in
imports = [
./options.nix
];
defaults = {
networking.hosts."${getNodeAddr "nowhere"}" = lib.attrNames config.nowhere.names;
security.pki.certificateFiles = [
"${ca}/ca.pem"
];
};
nowhere.certs = {
inherit ca;
intermediate = genCert [ "--config=${cfsslConfigIntermediateCA}" "--profile=intermediate" ] {
CN = "Simulacrum Intermediate CA";
config = lib.mkIf config.nowhere.enable {
defaults = {
networking.hosts."${getNodeAddr "nowhere"}" = lib.attrNames config.nowhere.names;
security.pki.certificateFiles = [
"${ca}/ca.pem"
];
};
};
nodes.nowhere = { config, depot, ... }: {
networking = {
firewall.allowedTCPPorts = [ 443 ];
interfaces.eth1.ipv4.routes = lib.mapAttrsToList (name: hour: {
address = hour.interfaces.primary.addrPublic;
prefixLength = 32;
via = getNodeAddr name;
}) depot.gods.fromLight;
nameservers = map (name: depot.hours.${name}.interfaces.primary.addrPublic) cluster.config.services.dns.nodes.authoritative;
nowhere.certs = {
inherit ca;
intermediate = genCert [ "--config=${cfsslConfigIntermediateCA}" "--profile=intermediate" ] {
CN = "Simulacrum Intermediate CA";
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = lib.mapAttrs (name: link: let
cert = genHostCert name;
in {
forceSSL = true;
sslCertificate = "${cert}/cert.pem";
sslCertificateKey = "${cert}/cert-key.pem";
locations."/" = {
proxyPass = config.links.${link}.url;
extraConfig = "proxy_ssl_verify off;";
};
}) lift.nowhere.names;
nodes.nowhere = { config, depot, ... }: {
networking = {
firewall.allowedTCPPorts = [ 443 ];
interfaces.eth1.ipv4.routes = lib.mapAttrsToList (name: hour: {
address = hour.interfaces.primary.addrPublic;
prefixLength = 32;
via = getNodeAddr name;
}) depot.gods.fromLight;
nameservers = map (name: depot.hours.${name}.interfaces.primary.addrPublic) cluster.config.services.dns.nodes.authoritative;
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = lib.mapAttrs (name: link: let
cert = genHostCert name;
in {
forceSSL = true;
sslCertificate = "${cert}/cert.pem";
sslCertificateKey = "${cert}/cert-key.pem";
locations."/" = {
proxyPass = config.links.${link}.url;
extraConfig = "proxy_ssl_verify off;";
};
}) lift.nowhere.names;
};
};
};
}
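Review bot: Wrapping the whole module body in `config = lib.mkIf config.nowhere.enable { ... }` also gates the `defaults` block — the `networking.hosts` entry that steers every name in `config.nowhere.names` to the nowhere node and the `security.pki.certificateFiles` entry that makes all nodes trust `${ca}/ca.pem` — and since `lib.mkEnableOption` defaults to false, any cluster that does not now set `nowhere.enable = true` presumably loses the redirect and resolves those names via the real nameservers instead of the simulacrum proxy. That is the intended outcome of making it optional, but the commit description should name it and existing consumers should be checked for the explicit enable. Separately, every vhost still forwards with `extraConfig = "proxy_ssl_verify off;"`; that is pre-existing and plausibly deliberate for simulacrum-issued upstream certificates, but it deserves a one-line comment such as `# upstream certs are simulacrum-issued; verification disabled by design` so it is not copied into a non-test module. The hunk begins mid-expression (the `in` in the `@@` header), so the enclosing `let` and the attribute set it opens start outside it.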
@ -2,6 +2,7 @@
{
options.nowhere = {
enable = lib.mkEnableOption "Nowhere";
names = lib.mkOption {
description = "Hostnames that point Nowhere.";
type = with lib.types; attrsOf str;
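Review bot: `lib.mkEnableOption "Nowhere"` yields only "Whether to enable Nowhere.", which tells an operator nothing about what flipping it does — per the sibling module in this commit, enabling it appears to install the simulacrum CA into every node's trust store and to rewrite the hosts file for the configured names, which is a trust-relevant side effect worth stating at the option. Something like `enable = lib.mkEnableOption "Nowhere, the simulacrum proxy (trusts its CA on all nodes and points the configured names at it)";` keeps the option form and documents the blast radius. The enclosing `options.nowhere` set continues past the end of the hunk.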